Port Forwarding on a Mac


To enable ports 80 and 443 on the Mac where the PaperCut App Server is running, you need to use ipfw (IP Firewall) or pf (Packet Filter) to set up port forwarding.

This will allow users to navigate to e.g. http://[servername]/user to access the User Web Page, without having to specify a port.

Note that this is an OS-level function, so there are many ways to get this configured. If you are happy configuring this using another method and it’s working successfully, please feel free to continue to use that method. If you’d like to leave a note in the comments with your method, that’d be great!


OS X 10.9 and earlier:

With earlier versions of Mac OS, ipfw was the primary way to handle firewall changes and port forwarding. With 10.7, the preference was to use pf, but the ipfw utility was still included with Mac OS.

As detailed on the original link at the top of this page, with 10.9 and earlier, you can run this command to configure ipfw to forward port 80 to port 9191:

sudo /sbin/ipfw add 102 fwd 127.0.0.1,9191 tcp from any to any 80 in

OS X 10.10 and above:

With Yosemite, ipfw has been removed from the Mac OS X build completely, so running the above command will result in a ‘command not found’ error message. The new method using pf is a little more involved:

1. Create an anchor file

For example /etc/pf.anchors/com.papercut

2. In the com.papercut anchor file, enter:

rdr pass on lo0 inet proto tcp from any to self port 80 -> 127.0.0.1 port 9191
rdr pass on en0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9191
rdr pass on en1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9191

Make sure you hit ‘enter’ to create a new blank line after these 3 lines have been entered. If you don’t do this, you’ll get error messages about the format of the file.

3. Test the anchor file:

sudo pfctl -vnf /etc/pf.anchors/com.papercut

4. Add the anchor file to the pf.conf file:

sudo vi /etc/pf.conf

Then add in the following lines under each corresponding section - e.g. the rdr-anchor line under the current rdr-anchor line, and the load anchor under the current load-anchor statement:
rdr-anchor "port80"
load anchor "port80" from "/etc/pf.anchors/com.papercut"

5. Load the pf.conf file automatically:

This can be done manually (see below), by creating a dedicated Launch Daemon to load and enable the config on boot, or by editing the current daemon for pf to enable the new config automatically at startup:
sudo vi /System/Library/LaunchDaemons/com.apple.pfctl.plist

Then within the section detailing the program arguments:
<key>ProgramArguments</key>

Add in an extra string with -e, which will enable the config, as per:

<string>pfctl</string>
<string>-e</string>
<string>-f</string>
<string>/etc/pf.conf</string>

Then save the file, exit and restart the server to test.

Other notes:

To test this method manually (no restart required) you can use sudo pfctl -ef /etc/pf.conf which will load and enable the pf.conf file, which will then call the com.papercut anchor file.

Additionally, if you want to try this out without making any changes to config files, you can test this temporarily (it will not retain the settings after a restart) by running:

echo "
rdr pass on lo0 inet proto tcp from any to self port 80 -> 127.0.0.1 port 9191
rdr pass on en0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9191
rdr pass on en1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9191
" | sudo pfctl -ef -
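
An added example (not PaperCut's own code): a preflight script for the procedure above that checks the two mistakes called out in steps 2 and 4, a missing trailing newline in the anchor file and a missing rdr-anchor / load anchor pair in pf.conf. The function names are hypothetical, and the check that every rule targets 127.0.0.1 assumes the anchor holds only redirects like the ones in this article.

```shell
#!/bin/sh
# Added example: preflight checks for the pf setup in steps 1-5.
# Helper names are hypothetical; default paths and anchor name are the article's.

# True only if the file is non-empty and its last byte is a newline
# (the missing-newline case in step 2 makes pfctl reject the file).
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# True only if every non-blank, non-comment line is a TCP rdr rule whose
# target is 127.0.0.1, so a stray edit cannot forward traffic elsewhere.
# Assumption: the anchor file contains nothing but rules of this shape.
only_local_redirects() {
    rule='^rdr pass on [a-z0-9]+ inet proto tcp from any to (any|self) port [0-9]+ -> 127\.0\.0\.1 port [0-9]+$'
    ! grep -v -E '^[[:space:]]*(#.*)?$' "$1" | grep -q -v -E "$rule"
}

# True only if pf.conf both declares the rdr-anchor and loads it from the
# expected file (step 4 needs both lines, with the same anchor name).
conf_references_anchor() {
    grep -q -F "rdr-anchor \"$2\"" "$1" &&
        grep -q -F "load anchor \"$2\" from \"$3\"" "$1"
}

# Run all checks, report each failure on stderr, return non-zero if any failed.
preflight() {
    anchor_file=${1:-/etc/pf.anchors/com.papercut}
    pf_conf=${2:-/etc/pf.conf}
    anchor_name=${3:-port80}
    rc=0
    ends_with_newline "$anchor_file" ||
        { echo "FAIL: $anchor_file is missing, empty, or lacks a trailing newline" >&2; rc=1; }
    only_local_redirects "$anchor_file" 2>/dev/null ||
        { echo "FAIL: $anchor_file has a line that is not an rdr rule to 127.0.0.1" >&2; rc=1; }
    conf_references_anchor "$pf_conf" "$anchor_name" "$anchor_file" 2>/dev/null ||
        { echo "FAIL: $pf_conf lacks the rdr-anchor/load anchor pair for \"$anchor_name\"" >&2; rc=1; }
    return $rc
}
```

Source the script and run preflight before sudo pfctl -ef /etc/pf.conf; with no arguments it checks the paths and anchor name used in this article. It does not replace the pfctl -vnf syntax test in step 3.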


Categories: Implementation / Deployment, Apple Mac OS X


Keywords: mac, yosemite, port forwarding, 80, 443, ipfw, command not found


Article last modified on June 08, 2015, at 09:00 PM